Closed
Bug 844766
Opened 11 years ago
Closed 11 years ago
TSan: Thread data race in js::MaybeGC(JSContext*) vs. js::gc::Chunk::releaseArena
Categories
(Core :: General, defect)
Tracking
()
RESOLVED
FIXED
mozilla28
People
(Reporter: posidron, Assigned: jonco)
References
(Blocks 1 open bug)
Details
(Keywords: sec-want, Whiteboard: [tsan][tsan-test-blocker][qa-])
Attachments
(2 files)
19.66 KB,
text/plain
|
Details | |
2.37 KB,
patch
|
billm
:
review+
|
Details | Diff | Splinter Review |
During Firefox start-up with ThreadSanitizer (LLVM version), we get a data race reported as described in the attached log. Trace was created on mozilla-central with changeset 122820:c233837cce08. According to the TSan devs, most of the reported traces should be real data races, even though they can be "benign". We need to determine if the race can/should be fixed, or put on the ignore list. Even for benign races, TSan devs suggest to fix them (second priority), as they can also cause problems [1]. [1] http://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
Comment 1•11 years ago
|
||
Ccing bhackett and billm for some help here :)
Comment 2•11 years ago
|
||
In this bug, bug 844768, and bug 844755 sweeping is involved, so maybe JonCo has some idea what is going on.
Assignee | ||
Comment 3•11 years ago
|
||
It looks like Zone::gcBytes which is being updated by the background thread and read by the main thread to determine whether to do a GC. So a race can change exactly when a GC happens, but I don't think this is something we care about.
Comment 4•11 years ago
|
||
(In reply to Jon Coppeard (:jonco) from comment #3) > It looks like Zone::gcBytes which is being updated by the background thread > and read by the main thread to determine whether to do a GC. So a race can > change exactly when a GC happens, but I don't think this is something we > care about. If the race decides when a GC happens, then fixing the race would make test cases possibly more deterministic which could help fuzzing and debugging. I don't know though if fixing the race is possible without any side effects, but if it is, then it would be really nice to have.
Assignee | ||
Comment 5•11 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #4) Even if we changed this, the timing of the GC would still depend on thread scheduling of main vs. background thread, so I don't think this would actually make it deterministic.
Comment 6•11 years ago
|
||
Thanks, that makes sense :) I'll work on a patch to ignore this function then when bug 847350 is through (see also bug 844755 comment 6).
Assignee: nobody → choller
Depends on: 847350
Assignee | ||
Comment 7•11 years ago
|
||
Here's a patch to make gcBytes use atomic operations, rather than volatile. Can you check to see whether this fixes the TSAN warning?
Assignee: choller → jcoppeard
Status: NEW → ASSIGNED
Flags: needinfo?(choller)
Comment 8•11 years ago
|
||
I finally was able to reproduce the original issue. And I can confirm that the patch fixes it :)
Flags: needinfo?(choller)
Assignee | ||
Comment 9•11 years ago
|
||
Comment on attachment 821581 [details] [diff] [review] Bug844766-gcBytes This is a patch to replace use of volatile with atomic operations for the gcBytes member in JSRuntime and Zone, which is accessed from multiple threads. The main motivation for this is to stop TSAN generate spurious warnings, but it's also nicer because this makes it explicit that this data is accessed from different threads. I chose the ReleseAcquire memory ordering because that will lead to more deterministic operation without any real penalty. In practice, for gcBytes I think Relaxed ordering would work as well.
Attachment #821581 -
Flags: review?(wmccloskey)
Comment on attachment 821581 [details] [diff] [review] Bug844766-gcBytes Review of attachment 821581 [details] [diff] [review]: ----------------------------------------------------------------- We really need to document these Atomics.h better.
Attachment #821581 -
Flags: review?(wmccloskey) → review+
Assignee | ||
Comment 11•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/cd2d19e4e258
Comment 12•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/cd2d19e4e258
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Whiteboard: [tsan][tsan-test-blocker] → [tsan][tsan-test-blocker][qa-]
You need to log in
before you can comment on or make changes to this bug.
Description
•